Skip to content

Instantly share code, notes, and snippets.

View andrewchiles's full-sized avatar

Andrew Chiles andrewchiles

170 followers · 9 following
View GitHub Profile
@HackingLZ
HackingLZ / EDR_SKILL.md
Last active May 6, 2026 18:21
EDR Skill
name edr-reverse-engineering
description Standardized workflow for reverse engineering endpoint security products, including extraction, decompilation, rule and model recovery, vulnerability analysis, detection gap analysis, proof-of-concept planning, live probes, and stakeholder reports. Use when Claude is asked to analyze an endpoint detection and response product, endpoint protection agent, security sensor, antivirus engine, or similar endpoint security package from installer artifacts, extracted binaries, live systems, or prior workspace outputs.

EDR Reverse Engineering

Use this skill to run a complete, repeatable reverse-engineering workflow for endpoint security products. Apply the same structure to every product so outputs can be compared across analyses and future work can resume without rediscovery.

@EvanMcBroom
EvanMcBroom / sms-crypto-unobfuscate-string.c
Last active January 24, 2024 23:48
SCCM Credential Recovery for Network Access Accounts
/*
* Research by Evan McBroom and Chris Thompson (@_Mayyhem)
* Roger Zander made security recommendations for SCCM based on the claim that NAA credentials could be recovered.
* Source: https://rzander.azurewebsites.net/network-access-accounts-are-evil/
* Roger stated that recover was "possible with a few lines of code" but did not provide any code. Here is working code.
*/
#include <Windows.h>
#include <stdio.h>
@matterpreter
matterpreter / RpcParser.java
Last active March 9, 2022 00:21
Ghidra RPC procedure identification script
//Locate RPC procecures inside of server code
//@author Matt Hand (@matterpreter) based on original work by Sektor7 Labs (@reenz0h)
//@category Functions
//@keybinding
//@menupath
//@toolbar
import ghidra.app.script.GhidraScript;
import ghidra.program.model.block.*;
import ghidra.program.model.symbol.*;
@gladiatx0r
gladiatx0r / Workstation-Takeover.md
Last active August 25, 2025 14:06
From RPC to RCE - Workstation Takeover via RBCD and MS-RPChoose-Your-Own-Adventure

Overview

In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;

  • Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
  • Relaying that machine authentication to LDAPS for configuring RBCD
  • RBCD takeover

The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.

@vestjoe
vestjoe / stageless_payload_generator.cna
Last active August 6, 2021 15:26
# Staged Payload Generator
# Author: @joevest
# Generates all stageless payload types for each current listener
# Directory for Payloads
mkdir("/payloads");
println("Stageless Payload Generator");
menubar("Stageless Payload Generator", "payloadgenerator");
@rsmudge
rsmudge / search.cna
Last active May 3, 2024 16:02
Search scrollback for a Beacon (even the stuff that's cut off)
# search for and reproduce output that matches a specific regex.
alias search {
local('$regex $regex2 $entry $event $bid $out $when');
# take all of the args, without processing/parsing as normal.
if (strlen($0) > 7) {
$regex = substr($0, 7);
}
else {
berror($1, "search [regex]");
@Cyb3rWard0g
Cyb3rWard0g / COMPlus_ETWEnabled_detection_notes.md
Last active November 23, 2023 20:05

Initial Notes:

  • The .NET Runtime Event Provider requires setting COMPLUS_ETWEnabled=1 in your process' environment.
  • CLRConfig will look for configurations in the following places in the following order:
    • Look at environment variables (prepending COMPlus_ to the name)
    • Look at the framework registry keys (HKCU\Software\Microsoft\.NETFramework
    • Look at the framework registry keys HKLM\Software\Microsoft\.NETFramework)
  • These can be set in the following ways:
    • Setting the environment variable COMPlus_:
  • Windows
@monoxgas
monoxgas / mscorlib_load_assembly.vba
Last active May 18, 2023 13:30
VBA code for calling AppDomain.Load using raw vtable lookups for the IUnknown
' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb
Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr)
Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr
#If Win64 Then
Const LS As LongPtr = 8&
#Else
Const LS As LongPtr = 4&
@djhohnstein
djhohnstein / tasks.cs
Created August 19, 2019 14:51
Create a .NET Type Dynamically at Runtime, Execute in Script. Prototype DynamicWrapperX , but not posting that publicly
using System;
using System.EnterpriseServices;
using System.Runtime.InteropServices;
using System.Reflection;
using System.Reflection.Emit;
using System.Collections;
using System.Collections.Generic;
@TarlogicSecurity
TarlogicSecurity / kerberos_attacks_cheatsheet.md
Created May 14, 2019 13:33
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module: